The End of Digital Innocence: What Does the Epsilon Breach Mean?

Spot Quiz: What does the word epsilon mean to you? It is the fifth letter of the Greek alphabet. As I recall, in its lowercase form, epsilon stands for elasticity, among economists. There might even be a fictional spy named Epsilon.

I’ll bet that up until a few days ago you didn’t know that Epsilon was also the name of a company that has exposed millions of Americans (including you, most likely) to the increased risk of imposter fraud, a crime that made it to the Federal Trade Commission’s top ten complaints list this year for the first time. Epsilon is a unit of Alliance Data that collects consumer information from hundreds of corporate clients to manage their email marketing campaigns.

On April 1st, Epsilon posted a terse announcement on its corporate website, which set off a media frenzy and confirmed, yet again, the end of the Age of Digital Innocence:

IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Apparently, an unknown cyber ninja (or coven of ninjas) had efficiently and maliciously gained unauthorized access to the Epsilon system and caused what Michael Kleeman, a network security expert at the University of California, San Diego, called a “massive hemorrhage” of data. Until now that data, an email address paired with a name, has been treated as non-personal identifying information; a growing number of privacy experts now regard it as the Social Security Number of the Digital Age. In other words, the data that consumers provided to many large companies, such as J.P. Morgan Chase, Citibank, Kroger, Target, Best Buy, Disney Destinations and Verizon, could now be in the hands of guys we would never want to friend on Facebook.

If you didn’t know anything more than that, it would be horrifying enough. After all, despite thousands of privacy policy disclosures and enormous media attention, most folks don’t know (or don’t want to know) that information provided to trusted financial institutions, service providers or retail stores is shared with other companies. Again, I’ll bet most Americans didn’t know that there even was a company called Epsilon. But worst of all, we still don’t know, even now, how much information Epsilon really has, or which information was truly hacked. It was publicly announced that, not to worry, only email addresses were stolen. I received several frantic emails from banks with which I have relationships assuring me that only my email address was no longer secure.

Let’s make the charitable (and perhaps facile) assumption that the press releases and email alerts are accurate. So all the bad guys have is our email addresses and our names, right? No biggie, right? Well, not exactly. The problem is that our email addresses are also our user IDs on many websites, so whoever holds the list already has half of the login pair for every one of those accounts, along with the name of the institution each one belongs to. Few people are willing to change their email addresses, because too many other people would have to be notified. So in my case, I will have to strengthen my already strong passwords—again.

Heck, it’s gotten so complicated that my current password contains several letters (some upper-, some lowercase), a few numbers, and symbols I have inserted in the place of letters (and forget about the punctuation marks I must now liberally sprinkle throughout). It seems like no password—even those reminiscent of chemical compounds—is enough anymore. The unwelcome truth is that a more baroque password does nothing against a phishing email that simply asks for it; what limits the damage is a different password for every site, so that a credential handed to one impostor cannot be replayed at the rest. (To say nothing of the “secret questions” many sites rely upon in lieu of forgotten passwords. In the Facebook age, it’s not difficult to figure out someone’s high school or mother’s maiden name, so users should treat the answer as a second password: a response completely unrelated to the question prompt, ideally a random string, recorded wherever they keep their other passwords.)

A Focused Attack

A hacker who has your email address, and your name, and the names of the businesses with whom you have relationships can launch truly insidious “spear phishing” attacks and, who knows, in a moment of acquisition ecstasy or carelessness you might just bite. In response to a very personalized email, people are much more likely to reveal truly personal information, or click on attachments far more venomous than the usual ham-handed and misspelled spam letters. Our whole lives are contained in our email files, as well as any confirmations of changes in our digital existence (and lest we forget, all password changes are confirmed back to our email). So when you innocently click on what appears to be an official memo, or email your BFF (or community thereof) to share the news about that great new car you just bought, voila!, you just provided another gateway to your digital soul, and handed a very clever and patient thief yet another piece of the puzzle they so lovingly cobble together in order to become you for their benefit. In the digital age, your email address, unique and personal to you, is as much of a unique identifier as your Social Security number. In fact, your email address may allow you to be financially “profiled” by very criminal minds.

“When one has tens of millions of email addresses and an effective spear-phishing strategy, even if only a low percentage of targets respond, we are still looking at millions of people who could unintentionally release their personal information to the wrong people, or unknowingly click on a malicious link that installs malware on their computer,” says Ondrej Krehel, information security officer at Credit.com’s sister company, Identity Theft 911. “Worse yet, these emails can be sent from all of their affiliations in the Epsilon database, perhaps on a weekly basis. The magical combination of customer emails and their affiliations with institutions gives hackers a more direct route for monetization.”
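The tell-tale signs of the impostor mail described above are mechanical enough to check by machine. The Python below is an added example, not code from the original article or from Epsilon, Credit.com or Identity Theft 911: it parses a message, checks whether a mail that invokes a known institution actually comes from that institution’s domain, whether replies are steered elsewhere, whether each link’s visible text points where its `href` really goes, and whether a link host embeds the brand name inside a domain the brand does not own. The `KNOWN_BRANDS` table, the institution “examplebank” and both sample messages are constructed for the example; the domain logic uses a crude last-two-labels rule rather than the public suffix list.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: brand keyword -> the registrable domain that
# institution really sends from (a gateway would list its real affiliations).
KNOWN_BRANDS = {"examplebank": "examplebank.com"}
# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL; tolerates a bare 'www.example.com/path'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Crude last-two-labels domain (login.examplebank.com -> examplebank.com);
    a production filter would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    sender_domain = registrable(sender.domain)
    claimed = (sender.display_name + " " + (msg["subject"] or "")).lower()
    # 1. The mail invokes an institution we know but is not sent from its domain.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in claimed and sender_domain != domain:
            findings.append(("sender-domain", f"{sender.domain} is not {domain}"))
    # 2. Replies are steered to a third domain.
    if msg["reply-to"]:
        reply_domain = registrable(msg["reply-to"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(("reply-to", f"replies go to {reply_domain}"))
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = host_of(href)
        # 3. The link displays one site but resolves to another.
        if URL_LIKE.fullmatch(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("link-mismatch", f"shows {text}, goes to {target}"))
        # 4. Look-alike host: brand name inside a domain the brand does not own
        #    (examplebank.com.verify-login.net, examplebank-secure.net, ...).
        for brand, domain in KNOWN_BRANDS.items():
            if brand in target and registrable(target) != domain:
                findings.append(("lookalike-host", target))
    return findings

# Constructed sample: the personalised impostor mail the article describes.
PHISH = """\
From: "ExampleBank Alerts" <alerts@examplebank-secure.net>
Reply-To: verify@mail-relay.example.org
To: Jane Doe <jane.doe@example.com>
Subject: ExampleBank: confirm your account after the Epsilon incident
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Doe,</p><p>Please sign in at
<a href="http://examplebank.com.verify-login.net/">https://www.examplebank.com/login</a> within 24 hours
to keep your account active.</p></body></html>
"""

# Constructed sample: a genuine notice from the same institution.
LEGIT = """\
From: "ExampleBank Alerts" <alerts@mail.examplebank.com>
To: Jane Doe <jane.doe@example.com>
Subject: ExampleBank: your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jane Doe,</p><p>View it at
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", analyze(PHISH))
    print("legit:", analyze(LEGIT) or "no findings")
```

The impostor sample trips all four checks while the genuine notice trips none. None of the checks depends on the mail being misspelled or generic, which is the point of the quote above: a well-written, personalised message that knows your bank still has to come from somewhere and link to somewhere, and those two facts can be verified without trusting anything the body says.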

The Epsilon breach was the highest-profile, though not the most potentially devastating, breach of the last few weeks. In March, RSA, the security division of EMC and a provider of information security, risk and compliance products, also announced, rather grudgingly and in abstruse terms, a major security breach. Even now, no one knows the full extent of that breach. But a clearer picture is emerging of how it happened. An innocent (not terribly prescient) RSA employee retrieved an email with the subject line “2011 Recruitment Plan” from the junk mail folder and opened its Excel attachment. The spreadsheet carried malware that gave the attackers a foothold on that machine, and over the following days they used it, along with the victims’ email contacts and whatever else they found, to move from user to user ever deeper into the mysterious world of RSA until they had identified the people whose access opened the specific part of the RSA system they were after.

I am not talking here about some guy sending annoying spam to folks at RSA for his amusement. It was an “advanced persistent threat” attack that targeted their SecurID two-factor authentication product. Relentless, patient hackers spear-phished RSA employees using sophisticated and clandestine means to gain continual, persistent intelligence, according to a recent blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

One theory is that this was state-sponsored hacking by a foreign government. Another is that it was corporate espionage, with global rivals competing for intellectual property.

Not About the “Quick Hit” Anymore

For years we have been telling people that unless you are talking credit card or account compromise, it is not about the quick hit. Now that affected institutions have taken Paul Revere’s ride through their customer base, it is not a slam dunk that millions of consumers will be instantly spear-phished.

Identities are currency. They are evergreen. Like fine wine they get better with age.

The trajectory of this crime is much more subtle. It will be done over time by very calculating and patient hackers adding one piece of the puzzle at a time. Over a period of months, even years, email will arrive from impostors posing as businesses representing all aspects of our lives. They will ask for a tad of information here and there, offer a link to an irresistible deal, call upon us to make an impulsive decision and provide some personal identifying information in return for a product or service we can’t live without. They will engage us, attempt to garner our trust, compromise our information or turn our computers into transmitters of account numbers and passwords.

With that firmly in mind, there are several things we must do: we must better secure our computers, be more skeptical and less forthcoming. We must read, think and evaluate the logic and value of the request and the reward before we click on any button other than “delete.”

So maybe Epsilon was aptly named. As it turns out, the company became entrenched in something out of a spy novel, and it certainly demonstrates “elasticity” of information, doesn’t it? Ronald Reagan wisely said in a different context “trust but verify.” He was talking about nuclear arms, but our subject can also be deadly—fiscally—on a grand scale. The sad truth is that in the digitally dominated 21st century, you can forget about the trust part. Verify and protect everything. Always. Vigilantly. The World Wide Web is not a court room, but you can easily be made an innocent victim without due process.